If you are using the NIO or NIO connectors in Tomcat, please upgrade at
your earliest convenience.
---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Wed, Sep 15, 2021 at 11:53 AM
Subject: [SECURITY] CVE-2021-41079 Apache Tomcat DoS
To: Tomcat Users List <users@xxxxxxxxxxxxxxxxx>
Cc: announce@xxxxxxxxxxxxxxxxx <announce@xxxxxxxxxxxxxxxxx>, <
announce@xxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>
CVE-2021-41079 Denial of Service
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.2
Apache Tomcat 9.0.0-M1 to 9.0.43
Apache Tomcat 8.5.0 to 8.5.63
Description:
When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a
specially crafted packet could be used to trigger an infinite loop
resulting in a denial of service.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.4 or later
- Upgrade to Apache Tomcat 9.0.44 or later
- Upgrade to Apache Tomcat 8.5.64 or later
Note: This issue was fixed in Apache Tomcat 10.0.3 but the release vote
for the 10.0.3 release candidate did not pass. Therefore, although users
must download 10.0.4 to obtain a version that includes a fix for this
issue, version 10.0.3 is not included in the list of affected versions.
Credit:
The Apache Tomcat Security Team would like to thank:
- Thomas Wozenilek for originally reporting this issue
- David Frankson of Infinite Campus for providing a test case that
reproduced the issue.
History:
2021-09-15 Original advisory
References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
